Abstract

We provide a non-interactive quantum bit commitment scheme which has statistically-hiding and computationally-binding properties from any quantum one-way function. Our protocol is basically a parallel composition of the previous non-interactive quantum bit commitment schemes (based on quantum one-way permutations, due to Dumais, Mayers and Salvail (EUROCRYPT 2000)) with pairwise independent hash functions. To construct our non-interactive quantum bit commitment scheme from any quantum one-way function, we follow the procedure below: (i) from the Dumais-Mayers-Salvail scheme to a weakly-hiding and 1-out-of-2 binding commitment (of a parallel variant); (ii) from the weakly-hiding and 1-out-of-2 binding commitment to a strongly-hiding and 1-out-of-2 binding commitment; (iii) from the strongly-hiding and 1-out-of-2 binding commitment to a normal statistically-hiding commitment. In the classical case, a statistically-hiding bit commitment scheme (by Haitner, Nguyen, Ong, Reingold and Vadhan (SIAM J. Comput., Vol.39, 2009)) is also constructible from any one-way function. While the classical statistically-hiding bit commitment has large round complexity, our quantum scheme is non-interactive, which is advantageous over the classical schemes. A main technical contribution is to provide a quantum analogue of the new interactive hashing theorem, due to Haitner and Reingold (CCC 2007). Moreover, the parallel composition enables us to simplify the security analysis drastically.
1 Introduction

A bit commitment is a fundamental cryptographic protocol between two parties. The protocol consists of two phases: commit phase and reveal phase. In the commit phase, the sender, say Alice, has a bit b in her private space and she wants to commit b to the receiver, say Bob. They exchange messages and at the end of the commit phase Bob gets some information that represents b. In the reveal phase, Alice confides b to Bob by exchanging messages. At the end of the reveal phase, Bob judges whether the information gotten in the reveal phase really represents b or not. Basically, there are three requirements for secure bit commitment: the correctness, the hiding property and the binding property. The correctness guarantees that if both parties are honest then, for any bit $b \in \{0,1\}$ Alice has, Bob accepts with certainty. The hiding property guarantees that (cheating) Bob cannot reveal the committed bit during the commit phase. The binding property guarantees that (cheating) Alice cannot commit her bit b such that Alice maliciously reveals $b \oplus 1$ as her committed bit but Bob accepts.

In the classical case, a simple argument shows the impossibility of bit commitment with the hiding and the binding properties both statistical. Thus, either hiding or binding must be computational. A construction of statistically-binding scheme from any pseudorandom generator was given by Naor [23]. Since the existence of one-way functions is equivalent to that of pseudorandom generators [18], the statistically-binding scheme can be based on any one-way function. A construction of statistically-hiding scheme (NOVY scheme) from one-way permutation was given by Naor, Ostrovsky, Venkatesan and Yung [24]. After that, the assumption of the existence of one-way permutation was relaxed to that of approximable-preimage-size one-way function [12]. Finally, Haitner and Reingold [15] showed that a statistically-hiding scheme (HNORV scheme [13]) can be based on any one-way function.

Since statistically-binding (resp., statistically-hiding) bit commitment schemes are used as building blocks for zero-knowledge proof (resp., zero-knowledge argument) systems [TOIE], it is desirable that they be efficient from several viewpoints (e.g., the total size of messages exchanged during the protocol, or the round number of communications in the protocol). In general, the round complexity of statistically-hiding schemes is large (see, e.g., [HIITT]).

Let us move on to the quantum case. After the unconditional security of the BB84 quantum key distribution protocol [2] was shown, the possibility of unconditionally secure quantum bit commitments had been investigated. Unfortunately, the impossibility of unconditionally secure quantum bit commitment was shown |2H I22j. After that, some relaxations such as quantum string commitment flOl or cheat-sensitive quantum bit commitment [U \T7\ |4] have been studied.

In this paper, we take the computational approach as in the classical case. Along this line, Dumais, Mayers and Salvail [8] showed a construction of perfectly-hiding quantum bit commitment scheme (DMS scheme) based on quantum one-way permutation. The non-interactivity in DMS scheme is advantageous over the classical statistically-hiding bit commitments. Unfortunately, we have not found any candidate of quantum one-way permutation, because known candidates for classical one-way permutation are no longer one-way in the quantum setting due to Shor's algorithm [26]. Koshiba and Odaira [20] observed that the binding property of DMS scheme holds for any quantum one-way functions and showed that any approximable-preimage-size quantum one-way function suffices for the statistical hiding property.

In this paper, we further generalize statistically-hiding quantum bit commitment schemes in [U [20] and show that a statistically-hiding quantum bit commitment is constructible from any general quantum one-way function without losing the non-interactivity. We basically follow the steps of the proof in [13]. Thus, we remark on the similarities and differences.
• As in HNORV scheme [13], we construct a 1-out-of-2 binding commitment scheme based on any quantum one-way function as an intermediate scheme. Our 1-out-of-2 binding commitment scheme executes in parallel two commitment schemes where one of the two commitment schemes satisfies the binding property and the other does not have to satisfy the binding property. Note that any adversary for the classical 1-out-of-2 binding commitment (of the serial composition) cannot see the second commitment just after getting the first commitment. But, in our case, the adversary can get both the first and the second commitments, which may be correlated. Thus, we have to cope with an adversary that can have more information. One of the important technical tools in [13] is the so-called "new interactive hashing theorem" [14]. We provide a quantum analogue of the new interactive hashing theorem.

• Since the resulting 1-out-of-2 binding commitment scheme satisfies the hiding property only in a weak sense, some hiding amplification technique is applied to yield a 1-out-of-2 binding commitment scheme with the hiding property in a strong sense. To this end, we just consider the repeated use of the quantum one-way function and show that the simple repetition works for the hiding amplification. In [13], an amplification procedure is recursively iterated and an iterative analysis is made. Due to the parallel composition, we can drastically simplify the security analysis of the hiding amplification.

• Finally, we construct a (normal) statistically-hiding quantum bit commitment from the 1-out-of-2 binding commitment scheme. Unlike HNORV scheme, we do not use, in this step, the technique of universal one-way hash functions, which requires interactions.

Remark. In the quantum setting, there are several definitions for the binding property of commitment schemes. In [7], a satisfactory definition is given. Nonetheless, we adopt a weaker definition as in [8] and construct a non-interactive quantum bit commitment scheme based on the weak definition. It seems much more difficult to prove the security of our construction according to the definition in ^ by using our techniques. I believe that the weak definition is sufficient for some applications. Actually, a construction of quantum oblivious transfer from a quantum string commitment (of a special type) with a similar weak binding condition was given in



2 Preliminaries 

2.1 Notations and Conventions 

We denote the m-dimensional Hilbert space by $H_m$. Let $\{|0\rangle, |1\rangle\}$ denote the computational basis for $H_2$. When the context requires, we write to denote $|b\rangle$ in the computational basis. Let $\{|0\rangle_\times, |1\rangle_\times\}$ denote the diagonal basis, where $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|1\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. For any $x = x_1 x_2 \cdots x_n \in \{0,1\}^n$ and $\theta \in \{+, \times\}$, $|x\rangle_\theta$ denotes the state $\bigotimes_{i=1}^{n} |x_i\rangle_\theta$. We denote $|0\rangle \otimes \cdots \otimes |0\rangle$ by $|0\rangle$. For projections, we denote $\mathcal{P}_+^0 = |0\rangle\langle 0|$, $\mathcal{P}_+^1 = |1\rangle\langle 1|$, $\mathcal{P}_\times^0 = |0\rangle_\times\langle 0|$, and $\mathcal{P}_\times^1 = |1\rangle_\times\langle 1|$. For any $x \in \{0,1\}^n$, we denote $\mathcal{P}_+^x = \bigotimes_{i=1}^{n} \mathcal{P}_+^{x_i}$ and $\mathcal{P}_\times^x = \bigotimes_{i=1}^{n} \mathcal{P}_\times^{x_i}$. For the sake of simplicity, we also write instead of $\mathcal{P}_+^x$. We define $\theta(0) = +$ and $\theta(1) = \times$. Thus, for any $w \in \{0,1\}$, $\{\mathcal{P}_{\theta(w)}^x\}_{x \in \{0,1\}^n}$ is the von Neumann measurement.

For density matrices $\sigma$ and $\rho$, we define $\delta(\sigma, \rho) := \|\sigma - \rho\|_1$, where $\|A\|_1 = \frac{1}{2}\mathrm{tr}\sqrt{A^\dagger A}$. For two classical random variables X and Y, there exist the corresponding density matrices $\rho_X$ and $\rho_Y$. Since $\delta(\rho_X, \rho_Y)$ also represents the variation distance (a.k.a. statistical distance) between X and Y, we sometimes write $\delta(X, Y)$ instead of $\delta(\rho_X, \rho_Y)$. We denote the min-entropy of a random variable X by $H_\infty(X)$ and the Rényi entropy (of order 2) by $H_2(X)$. We denote the uniform distribution over $\{0,1\}^n$ by $U_n$. For a set A, we sometimes use the same symbol to denote the uniform distribution over the set A. A function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible if for every polynomial p there exists $n_0 \in \mathbb{N}$ such that for all $n > n_0$, $\nu(n) < 1/p(n)$. We denote a set of integers $\{i \in \mathbb{N} : n_1 \le i \le n_2\}$ by $[n_1, n_2]$.

2.2 Quantum One-Way Functions

In order to give definitions of quantum one-way functions, we have to decide on a model of quantum computation. In this paper, we consider (uniform or non-uniform) quantum circuit families. As a universal quantum gate set, we take the controlled-NOT, the one-qubit Hadamard gate, and arbitrary one-qubit non-trivial rotation gate. The computational complexity of a circuit C is measured by the number of elementary gates (in the universal gate set) contained in C and denoted by size(C). For any circuit family $C = \{C_n\}_{n \in \mathbb{N}}$, if size($C_n$) is bounded by p(n) for some polynomial p, C is called p-size circuit family.

Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ be a function family. To compute f, we need a circuit family $\{C_n\}_{n \in \mathbb{N}}$ where $C_n$ is a circuit on $m(n) > \ell(n)$ qubits. To compute $f_n(x)$ for $x \in \{0,1\}^n$, we apply $C_n$ to $|x\rangle \otimes |0\rangle^{\otimes (m(n)-n)}$. The output of $C_n$ is obtained by the von Neumann measurement in the computational basis on $\ell(n)$ qubits.

Definition 2.1 A function family $f = \{f_n : \{0,1\}^n \to \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ is s(n)-secure quantum one-way if

• there exists a p-size circuit family $C = \{C_n\}_{n \in \mathbb{N}}$ such that, for all n > 1 and all $x \in \{0,1\}^n$, $C_n(|x\rangle \otimes |0\rangle) = f_n(x)$ with certainty;

• for every p-size circuit family $B = \{B_n\}_{n \in \mathbb{N}}$ and for sufficiently large n,

$$\Pr[f_n(B_n(f_n(U_n))) = f_n(U_n)] < 1/s(n).$$

If f is p(n)-secure quantum one-way for every polynomial p, then f is said to be p-secure.

Quantum one-way function f is said to be r(n)-regular if for any $y \in \mathrm{supp}(f(U_n))$, $|\{x \in \{0,1\}^n : f_n(x) = y\}| = 2^{r(n)}$. Without loss of generality, we can consider quantum one-way functions that are length-preserving, that is, $\ell(n) = n$, because general quantum one-way functions can be converted into ones that are length-preserving.






2.3 Quantum Bit Commitment 

In a non-interactive quantum bit commitment scheme, honest Alice with her bit $w \in \{0,1\}$ starts with a system $H_{all} = H_{keep} \otimes H_{open} \otimes H_{commit}$ in the initial state $|0\rangle$, executes a quantum circuit $C_{n,w}$ on $|0\rangle$ returning the final state $|\psi_w\rangle \in H_{all}$ and finally sends the subsystem $H_{commit}$ to Bob in the reduced state $\rho_B(w) = \mathrm{tr}_A(|\psi_w\rangle\langle\psi_w|)$, where Alice's Hilbert space is $H_A = H_{keep} \otimes H_{open}$. For $w \in \{0,1\}$, we call $\rho_B(w)$ the w-commitment state. Once the system $H_{commit}$ (or, the w-commitment state) is sent to Bob, Alice has only access to $\rho_A(w) = \mathrm{tr}_B(|\psi_w\rangle\langle\psi_w|)$, where Bob's Hilbert space is $H_B = H_{commit}$. To reveal the commitment, Alice needs only to send the system $H_{open}$ together with w. Bob then checks the value of w by measuring the system $H_{open} \otimes H_{commit}$ with some measurement that is fixed by the protocol in view of w. Bob obtains $w = 0$, $w = 1$, or $w = \perp$ when the value of w is rejected.

Cheating Alice must start with the state $|0\rangle$ of some system $H_{all} = H_{extra} \otimes H_A \otimes H_{commit}$. A quantum circuit $V_n$ that acts on $H_{all}$ is executed to obtain a state and the subsystem $H_{commit}$ is sent to Bob. Later, any quantum circuit $O_n$ which acts on $H_{extra} \otimes H_{keep} \otimes H_{open}$ can be executed before sending the subsystem $H_{open}$ to Bob. The important quantum circuits which act on $H_{extra} \otimes H_{keep} \otimes H_{open}$ are the quantum circuits $O_{n,0}$ (resp., $O_{n,1}$) which maximize the probability that bit w = 0 (resp., w = 1) is revealed with success. Therefore, any attack can be modeled by triplets of quantum circuits $\{(V_n, O_{n,0}, O_{n,1})\}_{n \in \mathbb{N}}$.

Let $b_0(n)$ (resp., $b_1(n)$) be the probability that she succeeds to reveal 0 (resp., 1) using the corresponding optimal circuit $O_{n,0}$ (resp., $O_{n,1}$). The definition of $b_w(n)$ explicitly requires that the value of w, which cheating Alice tries to open, is chosen not only before the execution of the measurement on $H_{open} \otimes H_{commit}$ by Bob but also before the execution of the circuit $O_{n,w}$ by cheating Alice.

In the quantum setting, it is pointed out in [22] that the requirement "$b_0(n) = 0 \vee b_1(n) = 0$" for the binding condition is too strong. Thus, we adopt a weaker condition $b(n) := b_0(n) + b_1(n) - 1 < \epsilon$ where $\epsilon(n)$ is negligible, which is the same condition as in [8].

Since we consider the computational binding, we modify the above discussion so as to fit the computational setting. Instead of the triplet $(V_n, O_{n,0}, O_{n,1})$, we consider a pair $(V_{n,0}, U_n)$. If we set $V_{n,0} = (O_{n,0} \otimes I_{commit}) \cdot V_n$ and $U_n = O_{n,1} \cdot O_{n,0}^\dagger$, we can easily see that the adversary's strategy does not change. Note that $V_{n,0}$ acts in $H_{all}$ and $U_n$ is restricted to act only in $H_{extra} \otimes H_{keep} \otimes H_{open}$.

Definition 2.2 A non-interactive quantum bit commitment is t(n)-computationally-binding if, for every family $\{(V_{n,0}, U_n)\}_{n \in \mathbb{N}}$ of p-size circuit pairs, b(n) is bounded by t(n). If t(n) is negligible in n, the non-interactive quantum bit commitment is simply said to be computationally-binding.

Definition 2.3 A non-interactive quantum bit commitment is t(n)-statistically-binding if b(n) < t(n). If t(n) is negligible in n, the non-interactive quantum bit commitment is simply said to be statistically-hiding.

As mentioned, a satisfactory definition for the binding property of quantum bit commitment schemes is given by Damgard, Fehr, Renner, Salvail and Schaffner [7]. Actually, they show that a variant of DMS scheme satisfies the binding condition in [7]. However, it is still unclear whether inverting a quantum one-way permutation is reducible to violating the binding condition. We rather adopt a weaker definition in [8] in order to benefit from the computational reducibility.

2.4 Pairwise Independent Hash Functions 

Let $H = \{H_n\}_{n \in \mathbb{N}}$ be a sequence of function families, where each $H_n$ is a family of functions mapping binary strings of length $\ell(n)$ to strings of length $v(n)$. We say that $H_n$ is a pairwise independent (a.k.a. strongly 2-universal) hash family if for any distinct $x, x' \in \{0,1\}^{\ell(n)}$ and $y, y' \in \{0,1\}^{v(n)}$, $\Pr_{h \leftarrow H_n}[h(x) = y \wedge h(x') = y'] = 2^{-2v(n)}$. (See, e.g., [5] for an implementation of pairwise independent hash family.)

One of the useful applications of pairwise independent hash family is smoothing the min-entropy of a given distribution.

Lemma 2.1 (Leftover Hash Lemma) Let $V_n$ be a random variable over $\{0,1\}^{\ell(n)}$ such that $H_\infty(V_n) \ge \lambda_n$ and $H_n$ be a pairwise independent hash family where each $h \in H_n$ maps strings of length $\ell(n)$ to strings of length $\lambda_n - 2\log(\epsilon^{-1})$. Then, we have $\delta((H_n, H_n(V_n)), (H_n, U_{v(n)})) \le \epsilon$.
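The two statements above can be checked exhaustively at toy sizes. The following is an added example, not code from the paper or from [5]: it assumes the standard affine family $h(x) = Ax \oplus b$ over GF(2) as the pairwise independent family, takes $\delta$ as half the L1 distance, and uses a constructed flat source; all function names and parameters are illustrative.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def parity(z):
    """Parity of the set bits of z (a GF(2) inner product once masked)."""
    return bin(z).count("1") & 1


def family(l, v, offset=True):
    """Enumerate H = {x -> Ax xor b}: A is a v-by-l bit matrix (one integer
    per row), b a v-bit offset. offset=False keeps only the linear maps."""
    offsets = range(1 << v) if offset else (0,)
    for rows in product(range(1 << l), repeat=v):
        for b in offsets:
            yield rows, b


def apply_hash(h, x):
    """Evaluate h = (rows, b) on the l-bit input x."""
    rows, b = h
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i
    return y ^ b


def is_pairwise_independent(l, v, offset=True):
    """Exhaustively check Pr_h[h(x)=y and h(x')=y'] = 2^(-2v) for all
    distinct x, x' and all y, y'."""
    hs = list(family(l, v, offset))
    target = Fraction(len(hs), 4 ** v)  # |H| * 2^(-2v) functions per (y, y')
    for x, x2 in product(range(1 << l), repeat=2):
        if x == x2:
            continue
        hits = Counter((apply_hash(h, x), apply_hash(h, x2)) for h in hs)
        if len(hits) != 4 ** v or any(c != target for c in hits.values()):
            return False
    return True


def distance_from_uniform(support, l, v):
    """Exact delta((H, H(V)), (H, U_v)) for V uniform on `support`,
    with delta taken as half the L1 distance (variation distance)."""
    hs = list(family(l, v))
    uniform = Fraction(1, 1 << v)
    total = Fraction(0)
    for h in hs:
        hits = Counter(apply_hash(h, x) for x in support)
        total += sum(abs(Fraction(hits[y], len(support)) - uniform)
                     for y in range(1 << v))
    return total / (2 * len(hs))


# Constructed toy parameters: V is uniform on 16 of the 32 five-bit strings,
# so H_inf(V) = 4; with eps = 1/2 the lemma's output length is 4 - 2*log2(2) = 2.
L_BITS, LAMBDA, EPS = 5, 4, Fraction(1, 2)
V_BITS = 2
SUPPORT = [0, 1, 2, 3, 5, 7, 8, 11, 13, 17, 19, 23, 26, 29, 30, 31]


def demo():
    return {
        "affine_family_pairwise_independent": is_pairwise_independent(3, 2),
        "linear_only_pairwise_independent": is_pairwise_independent(3, 2, offset=False),
        "distance": distance_from_uniform(SUPPORT, L_BITS, V_BITS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Dropping the offset b breaks pairwise independence because every linear map sends the all-zero string to zero, which is why the second check fails.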

3 Base Scheme 

Dumais, Mayers and Salvail [8] gave a non-interactive statistically-hiding quantum bit commitment based on quantum one-way permutation. Koshiba and Odaira [20] observed that DMS scheme still satisfies the computational binding if we replace quantum one-way permutation with general quantum one-way function. So, we use the scheme as an important ingredient of the construction of our non-interactive statistically-hiding quantum bit commitment based on quantum one-way function.

We briefly review the scheme. Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be a function family. The quantum bit commitment scheme takes the security parameter n and the description of function family f as common inputs. For given f and the security parameter n, Alice and Bob determine $f_n$. The protocol, called Base Protocol, is described in Figure 1.

Proposition 3.1 (Implicit in [8] and explicit in [20]) Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be a family of (not necessarily quantum one-way) functions such that $\delta(f(U_n), U_n)$ is negligible in n. Then, Base Protocol is statistically hiding.

Proposition 3.2 (Implicit in [8] and explicit in [20]) Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an s(n)-secure quantum one-way function family. Then Base Protocol is $O(1/\sqrt{s(n)})$-computationally binding.






Commit Phase:

1. Alice with her bit w first chooses $x \in \{0,1\}^n$ uniformly and computes $y = f_n(x)$.

2. Next, Alice sends the quantum state $|f_n(x)\rangle_{\theta(w)} \in H_{commit}$ to Bob.

3. Bob then stores the received quantum state until Reveal Phase.

Reveal Phase:

1. Alice first announces w and x to Bob.

2. Next, Bob measures $\rho_B$ with measurement $\{\mathcal{P}_{\theta(w)}^y\}_{y \in \mathrm{range}(f_n)}$ and obtains the classical output $y' \in \mathrm{range}(f_n)$.

3. Lastly, Bob accepts if and only if $y' = f_n(x)$.

Figure 1: Base Protocol

In this paper, we do not use directly the above properties. We need to generalize Proposition 3.2. In non-interactive commitment protocols, Alice sends a commitment y in Commit Phase and a decommitment x in Reveal Phase. To make Bob accept, the pair (y, x) must be in some binary relation $R_n$. In case of Base Protocol, the binary relation is defined as $R_n = \{(f_n(x), x) : x \in \{0,1\}^n\}$. We can rephrase the statement of Proposition 3.2 in terms of the binary relation $R_n$. It says that if cheating Alice can output distinct pairs (y, x) and (y', x') both in $R_n$ such that the probability to reveal 0 with success by using (x, y) is $b_0(n)$, the probability to reveal 1 with success by using (x', y') is $b_1(n)$, and $b_0(n) + b_1(n) >$ 1+a/ s(n), then there exists an algorithm that, given $f_n(x)$ as input, outputs x such that $(f_n(x), x) \in R_n$ with probability $\Omega(s(n))$. Since Base Protocol is based on quantum one-way function, the definition of $R_n$ is quite natural. On the other hand, we may define a binary relation as $R'_n = \{(f_n(x), x) : x \in W_n\}$ by using some subset $W_n \subseteq \{0,1\}^n$. We discuss a generalization of Proposition 3.2 in the next section.



4 Non-interactive Quantum Hashing Theorem

The following theorem is a quantum correspondence^1 of the new interactive hashing theorem in [14] and it is one of the most technical ingredients in this paper.

Theorem 4.1 (Non-interactive Quantum Hashing Theorem) Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an s(n)-secure quantum one-way function family. Suppose that $W_n$ is a subset of $\{0,1\}^n$ and define the binary relation $R'_n$ as $R'_n = \{(f_n(x), x) : x \in W_n\}$. If there exists an algorithm against Base Protocol that can output distinct pairs (y, x) and (y', x') both in $R'_n$ such that the probability to reveal 0 with success by using (x, y) is $b_0(n)$, the probability to reveal 1 with success by using (x', y') is $b_1(n)$, and $b_0(n) + b_1(n) > 1 + s(n)$, then there exists another algorithm that, given $y'' \in f_n(W_n)$ as input, outputs $x''$ such that $(y'', x'') \in R'_n$ with probability $\Omega(s(n))$, where $y''$ is proportionally selected from $f_n(W_n)$.

^1 Exactly speaking, Theorem 4.1 corresponds to a special case of the new interactive hashing theorem in [14] and the current form suffices for our purpose. As in [14], we can derive a more general form of Non-interactive Quantum Hashing Theorem.

If $W_n$ is close to $U_n$ in the statement above, Non-interactive Quantum Hashing Theorem can be directly applied to construct an inverter of the quantum one-way function as in [U |20]. However, if $W_n$ is far from $U_n$, it is not directly related to the inversion of the quantum one-way function. In the next section, we discuss how to use it even in the case where $W_n$ is far from $U_n$.

For the proof of Theorem 4.1 we can adapt the proof of Proposition 3.2. In the original proof in [8] of Proposition 3.2 some "test circuits" are utilized. The existence of test circuits is an obstacle to the generalization. A careful analysis shows that such test circuits are redundant.

Proof. We separate the whole system into three parts: the system $H_{commit}$ that encodes the functional value, the system $H_{open}$ that encodes inputs to the function, and the system $H_{keep}$ that is the remainder of the system.

Perfect Case: 

In the perfect case, we can assume that an adversary $\{(V_{n,0}, U_n)\}_{n \in \mathbb{N}}$ reveals the committed bit in both ways perfectly. That is, the states $|\psi_{n,0}\rangle$ (resp., $|\psi_{n,1}\rangle$) of the whole system when w = 0 (resp., w = 1) will be committed can be written as follows.



where $\sum_{x \in W_n} \| |\alpha_{0,x}\rangle \|^2 = \sum_{x \in W_n} \| |\alpha_{1,x}\rangle \|^2 = 1$.

Let $\mathcal{P}_+^{u,commit}$ and $\mathcal{P}_\times^{u,commit}$ be the projection operators $\mathcal{P}_+^u$ and $\mathcal{P}_\times^u$ respectively, acting in $H_{commit}$. We are interested in properties on the state $|\varphi^u_{n,0}\rangle = \mathcal{P}_\times^{u,commit}|\psi_{n,0}\rangle$ which plays an important role for the inverter.

Now we consider an algorithm to invert $y \in f_n(W_n)$. Thus, we assume that y is encoded as input to the inverter in $H_{inv}$. Before considering the inverter, we consider properties on the states $|\varphi^u_{n,0}\rangle$ for every $u \in \{0,1\}^n$:

1. $= 2^{-n/2}$;

2. there exists an efficient circuit $\mathcal{W}_n$ on $H_{inv} \otimes H_{open} \otimes H_{commit}$ which, if u is in $H_{inv}$, unitarily maps $|\psi_{n,0}\rangle$ to $2^{n/2}|\varphi^u_{n,0}\rangle$;



X 






If the above properties are true, we can consider an inverter as follows. On input y, the inverter generates the state $|\psi_{n,0}\rangle$ by applying $V_{n,0}$ to $|0\rangle$, then applies $\mathcal{W}_n$ and $U_n$ in order, and finally measures $H_{open}$ to obtain $z \in f_n^{-1}(y)$.

In what follows, we show each property is true. First, we show Property 1. We write $|\psi_{n,0}\rangle$ using the diagonal basis for $H_{commit}$, and then we have

xeWn \ue-fo,i>" 



xew„ \ue{o,i}" 



commit 

'x 



u e {0, 1}" 



Since 

= 2-"/2 ^ (_l)(«./n(x))|^^^^^keep^|^^open^|^^ commit^ 

xeWn 

Property 1 holds. Next, we consider Property 3. Since the state $|\psi_{n,1}\rangle$ can be written as



commit 
X ' 



uefniWn) \2e/-i(«) / 
it implies that for every $u \in f_n(W_n)$

7/ i u \ 7/ ^w, commit I , \ ^u.commit, / i , \ 

^nWnfi) = UnV^ |^„,o) = ^n|V'n,o) 

(Note that $U_n$ is restricted to act in $H_{keep} \otimes H_{open}$ and thus $U_n$ and $\mathcal{P}_\times^{u,commit}$ are commutable.) Thus, Property 3 holds. Finally, we consider Property 2. We describe how to implement $\mathcal{W}_n$ mapping from

into 

(_^)(«,/„W>|^)inv ^ l^^open ^ |^)commit 

for every $u \in f_n(W_n)$, which satisfies the requirement. First we apply the mapping \u)"" (8)
^ (_i)(">/n(x)>|^ynv ^ | 3, commit^ ^j^i^i^ efficiently implemented by 

using the Hadamard gate and the controlled-NOT gate. Secondly, we apply the mapping 
|x)°P^" (g) |u)'=°"'™'* |x)°P^" (g) |u e which can be implemented by the efficient 

evaluation circuit of /„. Thirdly, we apply the mapping ly)'""^ (8) i->- (g) |y © 

^^commit^ which Can be efficiently implemented by using the controlled-NOT gate. Finally, 
we apply the Hadamard gate to all the qubits in $H_{commit}$. It is easy to verify that the above procedure satisfies the requirement. Thus, Property 2 holds.
General Case:

In the general case, the states $|\psi_{n,0}\rangle = V_{n,0}|0\rangle$ and $|\psi_{n,1}\rangle = U_n|\psi_{n,0}\rangle$ can be generally written as

$$|\psi_{n,0}\rangle = \sum_{x \in \{0,1\}^n,\, y \in \{0,1\}^n} |\alpha_{0,x,y}\rangle^{keep} \otimes |x\rangle^{open} \otimes |y\rangle_+^{commit},$$ and

xe{o,i}",ye{o,i}" 

where $\sum_{x,y} \| |\alpha_{0,x,y}\rangle \|^2 = \sum_{x,y} \| |\alpha_{1,x,y}\rangle \|^2 = 1$.

We assume that $b_0(n) + b_1(n) > 1 + 1/p(n)$ for some polynomial p, where

$$b_0(n) = \sum_{x \in W_n} \| |\alpha_{0,x,f_n(x)}\rangle \|^2 \quad \text{and} \quad b_1(n) = \sum_{x \in W_n} \| |\alpha_{1,x,f_n(x)}\rangle \|^2.$$

Then we will show that the success probability $p_{inv}$ for inverting the underlying quantum one-way function is greater than $1/4(p(n))^2$.

First, the state $|\psi_{n,0}\rangle$ can be written as follows.



commit 



+ 51 \^0,x,z)^""" ® ® |^^commit_ 

fn{x)^z or a;0W„ 

Remember that the state in the perfect case can be written as 

$$|\psi_{n,0}\rangle = \sum_{x \in W_n} |\alpha_{0,x}\rangle^{keep} \otimes |x\rangle^{open} \otimes |f_n(x)\rangle_+^{commit}.$$

Then we have 

|«o,.)'^^^P = (6o(n))-^/^|ao,.,/„(-))'''^' 60 (n) = ^ II |«o,.,/„(-)) f = KV'n.ojV^n.o)!'. 

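On input y, the inverter generates the state $|\psi_{n,0}\rangle$ by applying $V_{n,0}$ to $|0\rangle$. We then apply in order $\mathcal{W}_n$ and $U_n$ to the resulting state and finally measure $H_{open}$ to hopefully obtain $z \in f_n^{-1}(y)$.

We have to estimate the success probability of the inverter. To this end, we define two projections:

$$\mathcal{P}_0 \stackrel{\mathrm{def}}{=} \sum_{x \in W_n} \mathcal{P}_+^{x,open} \otimes \mathcal{P}_+^{f_n(x),commit}, \qquad \mathcal{P}_1 \stackrel{\mathrm{def}}{=} \sum_{x \in W_n} \mathcal{P}_+^{x,open} \otimes \mathcal{P}_\times^{f_n(x),commit}.$$

Then we have $b_0(n) = \|\mathcal{P}_0|\psi_{n,0}\rangle\|^2$ and $b_1(n) = \|\mathcal{P}_1|\psi_{n,1}\rangle\|^2$. Here, we claim that the success probability $p_{inv}$ satisfies

$$p_{inv} = \|\mathcal{P}_1 U_n \mathcal{P}_0 |\psi_{n,0}\rangle\|^2.$$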
We will see this claim. As mentioned, the state is $|y\rangle^{inv} \otimes |\psi_{n,0}\rangle$ with probability $\|\mathcal{P}_0|\psi_{n,0}\rangle\|^2 = b_0(n)$, where y is the input to the inverter. As we see in the perfect case, $\mathcal{W}_n$ maps the state $|\psi_{n,0}\rangle$ into $2^{n/2}|\varphi^y_{n,0}\rangle = 2^{n/2}\mathcal{P}_\times^{y,commit}|\psi_{n,0}\rangle$. After that, we apply $U_n$ and measure $H_{open}$. Thus, the success probability $p_{inv}(y)$ for input y is written as



-pz.opon 1 -p 



y, commit 



Averaging over all values of y according to the output distribution of $f_n$, we have

$$p_{inv} = \sum_y \Pr[y = f_n(U_n)]\, p_{inv}(y)$$



E 



.open 1 ^ J,?/, commit 



^ ^ p.,open ^p.,commit | | 

$$= \|\mathcal{P}_1 U_n \mathcal{P}_0 |\psi_{n,0}\rangle\|^2.$$

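Furthermore, we rewrite the above to easily estimate the value of $p_{inv}$:

$$p_{inv} = \|\mathcal{P}_1|\psi_{n,1}\rangle - \mathcal{P}_1 U_n \mathcal{P}_0^\perp|\psi_{n,0}\rangle\|^2.$$

Using the triangle inequality and $b_1(n) > 1 - b_0(n)$, we have

$$p_{inv} > \left(\|\mathcal{P}_1|\psi_{n,1}\rangle\| - \|\mathcal{P}_1 U_n \mathcal{P}_0^\perp|\psi_{n,0}\rangle\|\right)^2 > \left(\|\mathcal{P}_1|\psi_{n,1}\rangle\| - \|\mathcal{P}_0^\perp|\psi_{n,0}\rangle\|\right)^2 = \left(\sqrt{b_1(n)} - \sqrt{1 - b_0(n)}\right)^2.$$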

Let us recall that we assume that $b_0(n) + b_1(n) > 1 + 1/p(n)$ for some polynomial p. After some calculation, we have

$$p_{inv} > 2 - 1/p - 2\sqrt{1 - 1/p} > 1/4(p(n))^2.$$
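The calculation omitted above can be carried out as follows (an added derivation, not part of the original paper; it uses only $b_1(n) \le 1$ and the assumption $b_0(n) + b_1(n) > 1 + 1/p(n)$). Write $a = 1 - b_0(n)$, so that $b_1(n) > a + 1/p$ and $0 \le a < 1 - 1/p$. Then

$$\sqrt{b_1(n)} - \sqrt{1 - b_0(n)} > \sqrt{a + 1/p} - \sqrt{a} = \frac{1/p}{\sqrt{a + 1/p} + \sqrt{a}} > \frac{1/p}{1 + \sqrt{1 - 1/p}} = 1 - \sqrt{1 - 1/p},$$

because the middle fraction decreases in $a$ and $a < 1 - 1/p$. Squaring the right-hand side gives $(1 - \sqrt{1 - 1/p})^2 = 2 - 1/p - 2\sqrt{1 - 1/p}$, and $\sqrt{1 - 1/p} \le 1 - 1/(2p)$ gives $1 - \sqrt{1 - 1/p} \ge 1/(2p)$, so the bound on $\left(\sqrt{b_1(n)} - \sqrt{1 - b_0(n)}\right)^2$ is larger than $1/4(p(n))^2$.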
This completes the proof of Theorem 4.1. □
5 1-out-of-2 binding commitment from quantum one-way function

A 1-out-of-2 binding (we denote by $\binom{2}{1}$-binding) commitment scheme consists of two commitment schemes where one of the two commitment schemes satisfies the binding property and the other does not have to satisfy the binding property. In [13], Haitner et al. introduced a notion of 1-out-of-2 binding commitment schemes and gave a construction of $\binom{2}{1}$-binding commitment schemes based on one-way function. We also consider a quantum version of $\binom{2}{1}$-binding commitment scheme and construct a $\binom{2}{1}$-binding quantum commitment scheme.

We define a 2-parallel quantum bit commitment scheme $\Pi = (\Pi_1, \Pi_2)$, which is a parallel composition of two non-interactive quantum bit commitment schemes $\Pi_1$ and $\Pi_2$. At the beginning of the protocol $\Pi$, Alice has two bits $w_1$ and $w_2$. $\Pi$ consists of two phases, Commit Phase and Reveal Phase, as the standard bit commitment schemes do. In Commit Phase, Alice (in $\Pi$) invokes Commit Phase of $\Pi_1$ and sends the $w_1$-commitment state (of $\Pi_1$) to Bob. Also she invokes Commit Phase of $\Pi_2$ and sends the $w_2$-commitment state (of $\Pi_2$) to Bob. We call the joint state of the $w_1$-commitment state (of $\Pi_1$) and the $w_2$-commitment state (of $\Pi_2$) the $(w_1, w_2)$-commitment state (of $\Pi$). In Reveal Phase, Alice sends decommitments both of $\Pi_1$ and $\Pi_2$. Bob accepts if both decommitments are valid.

Next, we would like to define "computational 1-out-of-2 binding". In the classical case, it is defined in terms of transcripts. In the quantum case, the definition based on transcripts is not easy to handle. Fortunately, our protocol below has a classical inner-state which controls the 1-out-of-2 binding property. Thus, after providing our protocol, we will give a protocol-specific definition of computational 1-out-of-2 binding. Moreover, we discuss the hiding property later.

We give our 2-parallel quantum bit commitment protocol (called Protocol 1) in Figure 2. While a sequential composition is discussed in [13], our protocol runs Base Protocol twice in parallel.

Definition 5.1 Protocol 1 is computationally 1-out-of-2-binding if there exists a set $S \subseteq \{0,1\}^n$ such that for every function $\epsilon(n) = 1/\mathrm{poly}(n)$, the first half of the 2-parallel quantum bit commitment is $\epsilon(n)$-computationally-binding on condition that a randomly chosen x falls into S and the second half is $\epsilon(n)$-statistically-binding on condition that x does not fall into S.

Next, we define the hiding property. Unfortunately, the hiding property of Protocol 1 is not so strong. This is because the preimage-size of f is not constant over the inputs. Thus, we consider the following weak definition of the binding property.

Definition 5.2 If, for any $\gamma$ with $0 < \gamma < 1$, there exists a subset $\Gamma \subseteq \{0,1\}^n$ satisfying the following two properties, then 2-parallel quantum bit commitment is ^-hiding.

1. $|\Gamma| > \gamma \cdot 2^n$.

2. Let $w_1, w_2 \in \{0,1\}$. Let $Z_1(w_1)$ be a random variable for the first half of the commitment when $w_1$ is the first bit to be committed and $Z_2(w_2)$ be a random variable for the second half when $w_2$ is the second bit to be committed, on condition that x is uniformly chosen from $\Gamma$. Namely, the value for $(Z_1, Z_2)$ takes l^*') ^'(^))e(iD2) where h is uniformly chosen from $H^{(1)}$, h' is uniformly chosen from $H^{(2)}$ and x is uniformly chosen from $\Gamma$. Then, $(Z_1(0), Z_2(0))$, $(Z_1(0), Z_2(1))$, $(Z_1(1), Z_2(0))$ and $(Z_1(1), Z_2(1))$ are negligibly close to each other.

Parameters: Integers $t \in [1, n]$, $\Delta_1 \in [0, t]$ and $\Delta_2 \in [0, n - t]$.

Commit Phase:

1. Alice with her two bits $w_1$ and $w_2$ first chooses $x \in \{0,1\}^n$ uniformly and computes $y = f_n(x)$. She also randomly chooses two hash functions $h_1$ and $h_2$ from families of pairwise independent hash functions $H^{(1)} = \{h_1 : \{0,1\}^n \to \{0,1\}^{t - \Delta_1}\}$ and $H^{(2)} = \{h_2 : \{0,1\}^n \to \{0,1\}^{n - t - \Delta_2}\}$, respectively.

2. Next, Alice sends the quantum state $|h_1, h_1(y)\rangle_{\theta(w_1)} \otimes |h_2, h_2(x)\rangle_{\theta(w_2)} \in H_{commit_1} \otimes H_{commit_2}$ to Bob.

3. Bob then stores the received quantum state $\rho_B$ until the reveal phase.

Reveal Phase:

1. Alice announces the first decommitment $(w_1, h_1, y)$ and the second decommitment $(w_2, h_2, x)$ to Bob.

2. Next, Bob measures the first register of $\rho_B$ with measurement zerange{hi) and obtains the classical output $(h, z) \in H^{(1)} \times \mathrm{range}(h_1)$. Also he simultaneously measures the second register with measurement {^^{^yj^^h'^H^^) z'emnge{h2) and obtains the classical output $(h', z') \in H^{(2)} \times \mathrm{range}(h_2)$.

3. Lastly, Bob accepts the first commitment if and only if $h(y) = z$. Also he accepts the second commitment if and only if $h'(z') = x$ and $y = f_n(x)$.

Figure 2: Protocol 1

Theorem 5.1 Let f = {/„ : {0,1}" — )• {0, l}"}„gN be an s{n)-secure regular quantum 
one-way function family, where s{n) = n'^^^\ Then Protocol 1 with setting of parameters 
Ai = A2 = I logs(n), is a 2-parallel quantum bit commitment scheme that is computationally 
l-out-of-2 binding, regardless of the setting oft. 

While the HNORV scheme is a sequential composition of two commitment schemes, ours is a parallel composition of two quantum commitment schemes. Thus, we have to take into account that the second half of the commitment might increase the power of the adversary. Fortunately, such information can be included in the adversary's private space $\mathcal{H}_{keep}$ and we can use the same reduction as in Base Protocol. Actually, this observation plays an important role throughout the paper. Moreover, there is another difficulty in the analysis. Since the computational property of $\binom{2}{1}$-binding commitment is conditional (i.e., $x \in S$), we have to consider the reduction between two algorithms whose input distributions are different. To overcome the difficulty, we use Non-interactive Quantum Hashing Theorem. While the proof of the computational part is similar to the proof in [13], the proof of the statistical part is completely different from the proof in [13] because it involves the analysis of quantum states.
Proof. For every $t \in [1,n]$, we define the set of "heavy" strings to be

$$S_t = \{x \in f_n^{-1}(y) : \Pr[f_n(U_n) = y] \geq 2^{-t-\Delta_3}\}$$

for the parameter $\Delta_3 =$ ^s(n).

We will show that if $x \in S_t$ is chosen in the first step of Commit Phase then the first half is binding and if $x \notin S_t$ then the second half is binding.

First, we show a reduction from inverting $f_n$ to violating the binding property of Protocol 1 in the case of $x \in S_t$. Let $f'_n : H^{(1)} \times \{0,1\}^n \to H^{(1)} \times \{0,1\}^{t-\Delta_1}$ be a function that maps $(h,x)$ to $(h, h(f_n(x)))$. We define $R'_n = \{(f'_n(h,x), (h,x)) : x \in S_t$ and $h \in H^{(1)}\}$ and $W_{h,\eta} = \{x \in \{0,1\}^n : (\eta, (h,x)) \in R'_n\}$.

Let $A_1$ be a quantum algorithm to violate the binding property (with respect to $R'_n$) of Protocol 1 with probability $\varepsilon(n)$. Then, from Theorem 4.1, we have another algorithm $A_2$ that inverts $f'_n(h,x)$. Namely,

FT[A2{H^'\H^'\fn{Un))) € Wj,a) ,hW if„iUr.))] > ^^f/^' 
For each $h \in H^{(1)}$ and $x \in \{0,1\}^n$, we consider

Pr[^.(/^,(/,.,r))eU;,,,^;„(.,))] 



Ph,: 



and set 



\fi.-\fi,{h,x))\ 



T = {ih,x):pn,,>'-^}. 



By the counting argument, we have $|T| \geq \varepsilon^2(n)/8 \cdot 2^n |H^{(1)}|$. Here, we estimate the following probability:

> Yl ^M2{h, KUx))) G ■ Pr[il(^) =h^ Ut-A, = Hfnix))] 

(h,x)eT 

> £^(n)/64. 

We consider an algorithm $B$ that on input $y = f_n(x)$, picks randomly a hash function $h \in H^{(1)}$, and outputs $A_2(h, h(y))$. We analyze the probability that $B$ inverts $f_n$ in the following.

PT[B{fn{Un)) G f-Hfn{Un))] 

= Bf^^Hw[P4A2{h,h{fn{Un))) G /"^ (/n(C/n))]] 



= E 



= E 



P4fn{Un) = fn{x) A A2{h, h{f{Xn))) = x] 

a:6{0,l}" 

J2 Pr[/n(C/n) = fn{x)] ■ Pv[A2{h,v) = 

ri,x S.t. Tj=h{f„{x)) 

J2 P^fniUn) = fn{x)] ■ Pr[^2(/l,r/) = x] 

TI,X S.t. X&Wfi^ji 



> 2 



E 



Y PT[A2{h,v) 
ri,x S.t. x^Wh,r) 



X\ 



64 



= s(n) 



-3/4 . 



64 ^ 



which is greater than $1/s(n)$ if $\varepsilon$ is non-negligible.

Next, we consider the case $x \notin S_t$. We define $W_y = \{(h, h(x)) : h \in H^{(2)}$ and $x \in f_n^{-1}(y)\} \subseteq \{0,1\}^q$, where $q$ is the length of $(h, h(x))$. Any (possibly cheating) quantum state for the second commitment can be written as follows:

$$|\psi\rangle = \sum_{z \in W_y} \alpha_z |z\rangle_+ + \sum_{z \notin W_y} \alpha_z |z\rangle_+$$

since $\{|z\rangle_+\}_{z \in \{0,1\}^q}$ is a basis. Then $b_0(n) = \sum_{z \in W_y} |\alpha_z|^2$. Since $|\psi\rangle$ can be written as



{u,z)\ 



UGWy Z£{0,1}1 



bi{n) 



U&Wy 



ui^Wy ze{o,i}i 



29 



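To maximize $b_0(n) + b_1(n)$, we set $a = b_0(n)$. On the condition that $b_0(n) = a$, $b_1(n)$ achieves the maximum when $|\alpha_z|$ is uniformly distributed. Actually, it is sufficient to consider the case where

$$\alpha_z = \begin{cases} \sqrt{a/|W_y|} & \text{if } z \in W_y, \\ \sqrt{(1-a)/(2^q - |W_y|)} & \text{otherwise.} \end{cases}$$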



Then, we have $b_1(n) = \left(\sqrt{a|W_y|} + \sqrt{(1-a)(2^q - |W_y|)}\right)^2 / 2^q$. Let $\xi = |W_y|/2^q$. Thus, we have

$$b(n) = 1 + (2a-1)\xi + 2\sqrt{a(1-a)\xi(1-\xi)}.$$

After some calculation, we have $b(n) \leq 1 + \sqrt{\xi}$. Since



2"— t— A2 ~ 2"~*~^2 
we can say that $b(n) \leq 1 + 1/n^{\omega(1)}$.



□ 
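The step abbreviated as "after some calculation" in the proof above can be carried out as follows. This derivation is added here and is not part of the original paper; the angle $\phi$ is an auxiliary variable introduced only for it.

Start from $b(n) = 1 + (2a-1)\xi + 2\sqrt{a(1-a)}\,\sqrt{\xi(1-\xi)}$ with $a, \xi \in [0,1]$. Write $a = (1+\cos\phi)/2$ with $\phi \in [0,\pi]$, so that $2a - 1 = \cos\phi$ and $2\sqrt{a(1-a)} = \sin\phi$. Then

$$b(n) = 1 + \xi\cos\phi + \sqrt{\xi(1-\xi)}\,\sin\phi \leq 1 + \sqrt{\xi^2 + \xi(1-\xi)} = 1 + \sqrt{\xi},$$

where the inequality is Cauchy-Schwarz applied to the vectors $(\xi, \sqrt{\xi(1-\xi)})$ and $(\cos\phi, \sin\phi)$. Equality holds when $\cos\phi = \sqrt{\xi}$, that is, at $a = (1+\sqrt{\xi})/2$, so the bound $1 + \sqrt{\xi}$ is the exact maximum over $a$.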



Theorem 5.2 Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an $s(n)$-secure quantum one-way function family, where $s(n) = n^{\omega(1)}$. Then, there exists $t = t_0 \in [1,n]$ such that Protocol 1 satisfies $(1/n)$-hiding if we set $\Delta_1 = \Delta_2 =$ \ $\log s(n)$.

First, we suppose that $f$ is a regular quantum one-way function. Then the preimage size is always constant. This means that $H_2(f(U_n))$ is also constant. If the parameter $t$ is correctly given (i.e., $t = H_2(f(U_n))$), the first and the second commitment states are almost maximally mixed. Though there is a small amount of correlation between the first and the second commitment states, we can regard the joint state as a quantum state close to the maximally mixed state by the following lemma, which is a quantum version of Lemma 2.5 in

Lemma 5.1 Let $\rho$ be a mixed state such that $\rho = \sum_x p_x |x\rangle\langle x| \otimes \rho_x$. If there exists a mixed state $\sigma'$ such that $\delta(\rho_x, \sigma') \leq \varepsilon$ for all $x$, then $\delta(\rho, \sigma) \leq \varepsilon$, where $\sigma = \sum_x p_x |x\rangle\langle x| \otimes \sigma'$.

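Proof.

$$\delta(\rho, \sigma) = \frac{1}{2}\mathrm{tr}\sqrt{(\rho-\sigma)^\dagger(\rho-\sigma)} = \frac{1}{2}\sum_x p_x\, \mathrm{tr}\sqrt{(\rho_x-\sigma')^\dagger(\rho_x-\sigma')} \leq \varepsilon \sum_x p_x = \varepsilon.$$

□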

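Proof. (Theorem ??) We will see the first property. Let $p(y) = \Pr[f_n(U_n) = y]$ and $\mu(X) = |X|/2^n$. For any $t \in [1,n]$, let $A_t = \{y \in \{0,1\}^n : 2^{-t} \leq p(y) < 2^{-t+1}\}$. Since $\bigcup_t A_t = f_n(\{0,1\}^n)$, there exists $t_0$ such that $\Pr[f_n(U_n) \in A_{t_0}] \geq 1/n$. Then, we define $\Gamma_1$ and $\Gamma_2$ as follows:

$$\Gamma_1 = \{x \in \{0,1\}^n : p(f_n(x)) < 2^{-t_0+1}\} \quad \text{and}$$

$$\Gamma_2 = \{x \in \{0,1\}^n : p(f_n(x)) \geq 2^{-t_0}\},$$

and set $\Gamma = \Gamma_1 \cap \Gamma_2$. Thus, it is easy to see that $\Gamma_1 \cup \Gamma_2 = \{0,1\}^n$ and $\mu(\Gamma) \geq 1/n$.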

Next, we will see the second property. Let $C_1$ and $C_2$ be subsystems for $\mathcal{H}_{commit_1}$ and $\mathcal{H}_{commit_2}$, respectively. Assume that Alice has two bits $w_1$ (resp., $w_2$) for the first (resp., the second) half of the commitment. Also assume that $x$ falls into $\Gamma$.

Let $\rho$ be the quantum state $\mathrm{tr}_{C_2}(\rho_B)$. Then, $\rho$ can be written as

P = p7^:(T^I^>^(/n(a;)))e(«;i)(^,^(/n(a;))|. 

xer,heHW ' ' ' ' 

Let 

ze{o,i}*-^i,heHW ' ' 

z€{0,iy-^l,h€Hm ' ' 

Then i'^= l-^. = Lx is the uniform distribution. By Leftover Hash Lemma, we have $\delta(\rho, I) \leq 2^{-\Delta_1/2}$.

Next we let $\rho'(y)$ be the quantum state $\mathrm{tr}_{C_1}(\rho_B)$ when $y = f_n(x)$ is given. (Note that any elements in $f_n^{-1}(y)$ are also in $\Gamma$. Thus, the likelihood of $x$ is the same as that of any other $x' \in f_n^{-1}(y)$.) Then, $\rho'(y)$ can be written as

p\y) = Yl \f-U \\ |Tj(2)| l^'^(^))g("'2)(^.^(a^)l- 
Let

2e{o,i}"-«-^2,/je_H'(2) ' ' 

Then l' *== = t'^ is the uniform distribution. By Leftover Hash Lemma, we have $\delta(\rho'(y), I') \leq 2^{-\Delta_2/2}$ for any $y$. By Lemma 5.1 and the triangle inequality, we have



for any $w_1, w_2 \in \{0,1\}$. □
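The bucketing argument in the first part of this proof, worked through on a small function as an added example (not code from the paper). The map `toy_f` is a constructed, irregular and deliberately non-one-way stand-in for $f_n$, and all function names are hypothetical; the code computes $p(y)$, the buckets $A_t$, a $t_0$ given by the pigeonhole step, and the sets $\Gamma_1$, $\Gamma_2$, $\Gamma$.

```python
from collections import Counter
from fractions import Fraction


def toy_f(x, n):
    """Constructed irregular map on n-bit integers (illustration only, not one-way)."""
    return (x * x) % (1 << n)


def bucket_of(count, n):
    """Return t with 2^-t <= count/2^n < 2^-(t-1), i.e. the index of the bucket A_t."""
    t = n - (count.bit_length() - 1)
    if not 1 <= t <= n:
        raise ValueError("p(y) = 1: a constant function falls in no bucket A_1..A_n")
    return t


def choose_t0(f, n):
    """Pigeonhole step: pick the bucket A_t that carries the most probability mass."""
    size = 1 << n
    counts = Counter(f(x) for x in range(size))   # counts[y] = |f^-1(y)| = p(y) * 2^n
    mass = Counter()                              # mass[t] = number of x with f(x) in A_t
    for c in counts.values():
        mass[bucket_of(c, n)] += c
    t0 = max(range(1, n + 1), key=lambda t: mass[t])
    return t0, counts, Fraction(mass[t0], size)   # last value is Pr[f(U_n) in A_t0]


def gamma_sets(f, n, t0, counts):
    """Gamma_1 (not too heavy), Gamma_2 (not too light) and Gamma = Gamma_1 & Gamma_2."""
    size = 1 << n
    lo = 1 << (n - t0)          # p(f(x)) >= 2^-t0       <=>  count >= 2^(n-t0)
    hi = 1 << (n - t0 + 1)      # p(f(x)) <  2^-(t0-1)   <=>  count <  2^(n-t0+1)
    g1 = {x for x in range(size) if counts[f(x)] < hi}
    g2 = {x for x in range(size) if counts[f(x)] >= lo}
    return g1, g2, g1 & g2


def closed_under_preimages(f, n, gamma):
    """True if every x' with f(x') = f(x) for some x in gamma is itself in gamma."""
    images = {f(x) for x in gamma}
    return all((f(x) in images) == (x in gamma) for x in range(1 << n))


if __name__ == "__main__":
    n = 10
    f = lambda x: toy_f(x, n)
    t0, counts, mass = choose_t0(f, n)
    g1, g2, g = gamma_sets(f, n, t0, counts)
    print("t0 =", t0, " mu(Gamma) =", mass, " bound 1/n =", Fraction(1, n))
    print("Gamma_1 u Gamma_2 covers the domain:", g1 | g2 == set(range(1 << n)))
    print("Gamma closed under preimages:", closed_under_preimages(f, n, g))
```

For a permutation every count is 1, so the only non-empty bucket is $A_n$ and $\Gamma$ is the whole domain; an irregular function spreads its mass over several buckets, which is why the protocol is parameterized by $t$.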



6 Hiding Amplification

In the previous section, we showed that Protocol 1 based on a quantum one-way function has a "weak" hiding property. In this section, we amplify the "weak" hiding property to a "strong" one. We consider parallel executions of Protocol 1 to amplify the hiding probability from $1/n$ to $1 - 2^{-\Omega(n)}$. We describe the resulting parallel protocol (called Protocol 2) in Figure 3.

In the rest of this section, we state that Protocol 2 achieves $(1 - 2^{-\Omega(n)})$-hiding and preserves the binding property.

Theorem 6.1 Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an $s(n)$-secure quantum one-way function family, where $s(n) = n^{\omega(1)}$. Then, there exists $t = t_0 \in [1,n]$ such that Protocol 2 satisfies $(1 - 2^{-\Omega(n)})$-hiding if we set $\Delta_1 = \Delta_2 =$ ;j $\log s(n)$.

Due to the parallel composition, the proof becomes much simpler than the proof of the hiding amplification in [13]. The proof of Theorem 6.1 can be done by a standard probabilistic argument.

Proof. We will see the first property. Recall that $\Gamma = \{x \in \{0,1\}^n : 2^{-t_0} \leq p(f_n(x)) < 2^{-t_0+1}\}$ for some $t_0$. Let N = and $\Gamma' = \{(x_1, \ldots, x_{n^2}) \in (\{0,1\}^n)^{n^2} : \exists i, x_i \in \Gamma\}$.

We consider the probability $p$ where some $x_i$ falls in $\Gamma$. Since $\mu(\Gamma) \geq 1/n$, we have that $p \geq 1 - (1 - 1/n)^{n^2}$. By the fact that $1 - t \leq e^{-t}$, we have $p \geq 1 - e^{-n} \geq 1 - 2^{-n} = 1 - 2^{-\Omega(n)}$.

Next, we will see the second property. Let $(x_1, \ldots, x_{n^2}) \in \Gamma'$. By the definition of $\Gamma'$, we may assume that $x_J \in \Gamma$ for some $J \in [1, n^2]$. Recall that $Z_1(w_1)$ is of the form

$$|h_{1,1}, h_{1,1}(f_n(x_1))\rangle_{\theta(w_{1,1})} \otimes \cdots \otimes |h_{1,n^2}, h_{1,n^2}(f_n(x_{n^2}))\rangle_{\theta(w_{1,n^2})}$$






Parameters: Integers $t \in [1,n]$, $\Delta_1 \in [0,t]$ and $\Delta_2 \in [0,n-t]$.

Commit Phase:

1. Alice with her two bits $w_1$ and $w_2$ first chooses $(x_1, \ldots, x_{n^2}) \in (\{0,1\}^n)^{n^2}$ uniformly and computes $y_1 = f_n(x_1), \ldots, y_{n^2} = f_n(x_{n^2})$. Also, she uniformly and independently chooses pairwise independent hash functions $(h_{1,1}, \ldots, h_{1,n^2}) \in (H^{(1)})^{n^2}$ and $(h_{2,1}, \ldots, h_{2,n^2}) \in (H^{(2)})^{n^2}$.

2. Alice chooses $(w_{1,1}, \ldots, w_{1,n^2}) \in \{0,1\}^{n^2}$ and $(w_{2,1}, \ldots, w_{2,n^2}) \in \{0,1\}^{n^2}$ such that $w_1 = w_{1,1} \oplus \cdots \oplus w_{1,n^2}$ and $w_2 = w_{2,1} \oplus \cdots \oplus w_{2,n^2}$.

3. Next, Alice sends the quantum state

$$|h_{1,1}, h_{1,1}(y_1)\rangle_{\theta(w_{1,1})} \otimes \cdots \otimes |h_{1,n^2}, h_{1,n^2}(y_{n^2})\rangle_{\theta(w_{1,n^2})}$$

$$\otimes\, |h_{2,1}, h_{2,1}(x_1)\rangle_{\theta(w_{2,1})} \otimes \cdots \otimes |h_{2,n^2}, h_{2,n^2}(x_{n^2})\rangle_{\theta(w_{2,n^2})} \in (\mathcal{H}_{commit_1})^{\otimes n^2} \otimes (\mathcal{H}_{commit_2})^{\otimes n^2}$$

to Bob.

4. Bob then stores the received quantum state $\rho_B$ until the reveal phase.

Reveal Phase:

1. Alice announces the first decommitments $(w_{1,1}, h_{1,1}, y_1), \ldots, (w_{1,n^2}, h_{1,n^2}, y_{n^2})$ and the second decommitments $(w_{2,1}, h_{2,1}, x_1), \ldots, (w_{2,n^2}, h_{2,n^2}, x_{n^2})$ to Bob.

2. Next, Bob measures the first register of $\rho_B$ with measurement

and obtains the classical output $(h_1, z_1, \ldots, h_{n^2}, z_{n^2})$, where each $(h_i, z_i)$ is in $H^{(1)} \times \mathrm{range}(h_{1,i})$. Also he simultaneously measures the second register with measurement

and obtains the classical output $(h'_1, z'_1, \ldots, h'_{n^2}, z'_{n^2})$, where each $(h'_i, z'_i)$ is in $H^{(2)} \times \mathrm{range}(h_{2,i})$.

3. Lastly, Bob accepts the first commitment if and only if $h_i(y_i) = z_i$ for every $i$, and recovers the first committed bit $w_1$ as $w_1 = w_{1,1} \oplus \cdots \oplus w_{1,n^2}$. Also he accepts the second commitment if and only if $h'_i(z'_i) = x_i$ and $y_i = f_n(x_i)$ for every $i$, and recovers the second committed bit $w_2$ as $w'_2 = w_{2,1} \oplus \cdots \oplus w_{2,n^2}$.

Figure 3: Protocol 2 
and $Z_2(w_2)$ is of the form

$$|h_{2,1}, h_{2,1}(x_1)\rangle_{\theta(w_{2,1})} \otimes \cdots \otimes |h_{2,n^2}, h_{2,n^2}(x_{n^2})\rangle_{\theta(w_{2,n^2})}.$$

Let $W(x_i, w_{1,i}, w_{2,i})$ be the composition of the $i$-th components of $Z_1(w_1)$ and $Z_2(w_2)$, that is,

$$W(x_i, w_{1,i}, w_{2,i}) = |h_{1,i}, h_{1,i}(f_n(x_i))\rangle_{\theta(w_{1,i})} |h_{2,i}, h_{2,i}(x_i)\rangle_{\theta(w_{2,i})}.$$

Since $w_{1,1}, \ldots, w_{1,n^2}$ and $w_{2,1}, \ldots, w_{2,n^2}$ are randomly chosen so as to satisfy that $w_1 = w_{1,1} \oplus \cdots \oplus w_{1,n^2}$ and $w_2 = w_{2,1} \oplus \cdots \oplus w_{2,n^2}$, we may assume that $w_{1,j}$ and $w_{2,j}$ with $j \neq J$ are uniformly and independently chosen from $\{0,1\}$ and $w_{1,J}$ and $w_{2,J}$ are determined by $w_1$, $w_2$, and all $w_{1,j}$ and $w_{2,j}$ such that $j \neq J$. Thus, we can say that $W(x_i, w_{1,i}, w_{2,i})$ such that $i \neq J$ does not depend on the value of $w_1$ and $w_2$.

On the other hand, $W(x_J, w_{1,J}, w_{2,J})$ depends on the value $w_1$ and $w_2$. But, we can show that it is $1/n^{\omega(1)}$-close to the uniform distribution by using the proof for the 2nd property of Theorem 5.2. From Lemma 5.1, we can say that $(Z_1(0), Z_2(0))$, $(Z_1(0), Z_2(1))$, $(Z_1(1), Z_2(0))$ and $(Z_1(1), Z_2(1))$ are $1/n^{\omega(1)}$-close to each other. □

Theorem 6.2 Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an $s(n)$-secure quantum one-way function family, where $s(n) = n^{\omega(1)}$. Then Protocol 2 with setting of parameters $\Delta_1 = \Delta_2 =$ I $\log s(n)$, is a 2-parallel quantum bit commitment scheme that is computationally 1-out-of-2 binding regardless of the setting of $t$.

The above theorem says that Protocol 2 has the 1-out-of-2 binding property. Specifically, the computational binding of the first half commitment can be guaranteed in some case and the statistical binding of the second half commitment can be guaranteed in the other case. The computational binding of the first half commitment in Protocol 2 is reduced to the computational binding of the first half commitment in Protocol 1. The statistical binding of the second half commitment in Protocol 2 can be shown by a probabilistic argument.

To prove that Protocol 2 is computationally 1-out-of-2 binding, we have to specify a set that controls the 1-out-of-2 property as in the proof of Theorem 5.1. In the proof of Theorem 5.1, $S_t$ is such a set. For the proof of Theorem 6.2, we will use $S'_t = \{(x_1, \ldots, x_{n^2}) \in (\{0,1\}^n)^{n^2} : \exists i, x_i \in S_t\}$. Even if we can use the reduction to the $j$-th subprotocol, we cannot know whether $x_j \in S_t$ or not. If $x_j \in S_t$, then the reduction goes through. If we cannot assume that $x_j \in S_t$, we can say that $x_j \in \{0,1\}^n$. Since we do not have to know some underlying relation to apply Non-interactive Quantum Hashing Theorem, we can show that the reduction still goes through.

Proof. The proof is similar to the proof for Theorem 5.1. For every $t \in [1,n]$, we define the set of "heavy" strings to be

$$S'_t = \{(x_1, \ldots, x_{n^2}) \in (\{0,1\}^n)^{n^2} : \exists i, x_i \in S_t\},$$

where $S_t$ is defined in the proof of Theorem 5.1.

We will show that if $(x_1, \ldots, x_{n^2}) \in S'_t$ is chosen in the first step of Commit Phase then the first half is binding and if $(x_1, \ldots, x_{n^2}) \notin S'_t$ then the second half is binding.

First, we show a reduction from inverting $f_n$ to violating the binding property of Protocol 2 in the case of $(x_1, \ldots, x_{n^2}) \in S'_t$. Recall that in the proof of Theorem 5.1, $f'_n : H^{(1)} \times \{0,1\}^n \to H^{(1)} \times \{0,1\}^{t-\Delta_1}$ is a function that maps $(h,x)$ to $(h, h(f_n(x)))$, $R'_n = \{(f'_n(h,x), (h,x)) : x \in S_t$ and $h \in H^{(1)}\}$ and $W_{h,\eta} = \{x \in \{0,1\}^n : (\eta, (h,x)) \in R'_n\}$. We also define $R_n = \{(f'_n(h,x), (h,x)) : x \in \{0,1\}^n$ and $h \in H^{(1)}\}$.

Let $A_3$ be a quantum algorithm to violate the binding property of Protocol 2 with probability $\varepsilon(n)$. This means that $A_3$ can send a quantum state in Commit Phase so that Bob can accept it either as 0-commitment with probability $b_0(n)$ and as 1-commitment with probability $b_1(n)$, where $b(n) = b_0(n) + b_1(n) > 1 + \varepsilon(n)$. To make Bob accept the quantum state as a valid commitment in Protocol 2, $A_3$ has to make Bob accept all executions of sub-protocol Protocol 1. Let $b_w^{(i)}(n)$ be the probability that $A_3$ can make Bob accept the $i$-th sub-protocol as $w$-commitment. We set $b^{(i)}(n) = b_0^{(i)}(n) + b_1^{(i)}(n)$. Let $\bar{b}_0(n)$ (resp., $\bar{b}_1(n)$) be the probability where $A_3$ fails to make Bob accept the quantum state as 0-commitment (resp., 1-commitment). Similarly, we define $\bar{b}_0^{(i)}(n)$ and $\bar{b}_1^{(i)}(n)$ for each $i \in [1, n^2]$. Then, we have $\bar{b}_0(n) + \bar{b}_1(n) < 1 - \varepsilon$. Since the failure probabilities are accumulative, there exists an index $j \in [1, n^2]$ such that $\bar{b}_0^{(j)}(n) + \bar{b}_1^{(j)}(n) < 1 - \varepsilon$. Hence, we have $b_0^{(j)}(n) + b_1^{(j)}(n) > 1 + \varepsilon$. Thus, we can assume a quantum algorithm $A_4$ that violates the binding property of Protocol 1 with probability $\varepsilon$. Note that the violation (by $A_4$) against the binding property of Protocol 1 is with respect to either $R_n$ or $R'_n$. Fortunately, we do not have to know which relation should be considered, since the algorithm with respect to $R_n$ is the same as the one with respect to $R'_n$. If $A_4$ violates the binding property of the $j$-th sub-protocol and $x_j \in S_t$, $A_4$ does with respect to $R'_n$. If $A_4$ violates the binding property of the $j$-th sub-protocol and $x_j \in \{0,1\}^n$, $A_4$ does with respect to $R_n$. Here, we consider only the case that $A_4$ does with respect to $R'_n$, since the other case is similar and easier to show.

From Theorem 4.1, we have another algorithm $A_5$ satisfying that

P4A5iH(^''\H(^'^\fn{ui'^)), - - - ,H(^'^'\H(^'^'\fn{uf^ 

where $H^{(1,1)}, \ldots, H^{(1,n^2)}$ are independent and identical distributions to $H^{(1)}$ and $U_n^{(1)}, \ldots, U_n^{(n^2)}$ are independent and identical distributions to $U_n$.

By the similar discussion in the proof of Theorem 5.1, we can say that

P.[A,{H(^''\H(^''){fniuL'^)),---,H(^'^-'),H('^^-^){f^^^^^ 

We consider an algorithm $B$ that on input $y = f_n(x)$, picks randomly an integer $j' \in [1, n^2]$, a hash function $h \in H^{(1)}$. $B$ also picks randomly $x_1, \ldots, x_{j'-1}, x_{j'+1}, \ldots, x_{n^2}$ and $h_1, \ldots, h_{j'-1}, h_{j'+1}, \ldots, h_{n^2}$, computes $y_1 = f_n(x_1), \ldots, y_{j'-1} = f_n(x_{j'-1}), y_{j'+1} = f_n(x_{j'+1}), \ldots, y_{n^2} = f_n(x_{n^2})$ and outputs the second part of $A_5(h_1, h_1(y_1), \ldots, h, h(y), h_{j'+1}, \ldots, h_{n^2}, h_{n^2}(y_{n^2}))$. Then, we have the following.

> E^^^d) [Pr[A(/ll, /ll(/n(f/l'^)), . . . , /ii'-l, /i, h{fn{Un)), 

Aj=/Az £/-!(/„([/„))]] 

= ^ • E^^^a) [Pr[A(/ll, /ll(/n(f/^'))), . . . , KUUn)), 

hj'+i, hy+^iUU^M))^ . . . , /l„2, /i„2(/„([/("')))) = (j, z) 

G f-HfniUn))]]- 

The rest of the probabilistic analysis is similar to the proof of Theorem 5.1. This shows that

$$\Pr[B(f_n(U_n)) \in f_n^{-1}(f_n(U_n))] > s(n)^{-3/4} \cdot \varepsilon(n)^2 / 64n^2,$$

which is greater than $1/s(n)$ if $\varepsilon$ is non-negligible.

Next, we consider the case $(x_1, \ldots, x_{n^2}) \notin S'_t$. By the definition of $S'_t$, we have $x_i \notin S_t$ for all $i$. Thus, we can use the discussion for the proof of Theorem 5.1 for each bit $w_{2,i}$. This means that the value of $b^{(i)}(n)$ is less than $1 + 1/n^{\omega(1)}$ for each bit $w_{2,i}$. Let us consider the event that Bob accepts the quantum state sent by Alice in Commit Phase of Protocol 2 as 0-commitment (or, 1-commitment). Let $p$ be the probability that this event occurs. Since this event occurs if Bob accepts all decommitments of the sub-protocol, we can write $p = p_1 \cdots p_{n^2}$, where $p_i$ is either the probability that Bob accepts the quantum state sent by Alice in Commit Phase of the $i$-th sub-protocol as 0-commitment or the probability that Bob accepts the quantum state sent by Alice in Commit Phase of the $i$-th sub-protocol as 1-commitment. Thus, the best strategy for cheating is to behave honestly for $n^2 - 1$ executions of the sub-protocol and maliciously for just one execution. Hence, we can upper-bound $b(n)$ by $1^{n^2-1}(1 + 1/n^{\omega(1)}) = 1 + 1/n^{\omega(1)}$. □

7 Statistically-Hiding Commitment from $\binom{2}{1}$-Binding Commitment

We have obtained the strongly-hiding 1-out-of-2 binding quantum commitment based on a quantum one-way function. But it is not a single scheme but a family of scheme candidates. First, we construct a family of candidates for normal statistically-hiding quantum bit commitment from the family of candidates for the strongly-hiding 1-out-of-2 binding quantum commitment. Next, we construct a single normal statistically-hiding quantum bit commitment from the family of candidates for the statistically-hiding quantum bit commitment.

7.1 Statistically-Hiding Quantum Commitment Family from $\binom{2}{1}$-Binding Quantum Commitment Family

Protocol 2 consists of the first half commitment and the second half commitment. We denote by P2first($w_1$) the first half commitment with the committed bit $w_1$ and by P2second($w_2$) the second half commitment with the committed bit $w_2$. We consider the protocol (called Protocol 3) in Figure 4.

Parameters: Integers $t \in [1,n]$, $\Delta_1 \in [0,t]$ and $\Delta_2 \in [0,n-t]$. (These are inherited by the sub-protocols P2first and P2second.)

Commit Phase:

1. Alice with her bit $w$ executes P2first($w$) and P2second($w$) in parallel.

Reveal Phase:

1. Alice sends decommitments for P2first($w$) and P2second($w$) and Bob recovers the committed bits $w'$ and $w''$, respectively.

2. Bob verifies the correctness of the decommitments. If the verification procedures for both P2first($w$) and P2second($w$) are passed and $w' = w''$ then Bob accepts.

Figure 4: Protocol 3

Theorem 7.1 Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an $s(n)$-secure quantum one-way function family, where $s(n) = n^{\omega(1)}$. Then Protocol 3 with setting of parameters $\Delta_1 = \Delta_2 =$ I $\log s(n)$, is a computationally-binding quantum bit commitment scheme regardless of the setting of $t$. Also, there exists $t = t_0 \in [1,n]$ such that Protocol 3 with the same parameter for $\Delta_1$ and $\Delta_2$ is statistically-hiding.

The hiding property can be shown by the argument in the proof of Theorem 6.1. Basically, Protocol 3 has the 1-out-of-2 binding property. Thus, either P2first or P2second must have the binding property. Even if the adversary can violate either P2first or P2second, such violation can be detected by the equality check $w' = w''$ in Reveal Phase. Theorem 7.1 can be similarly shown as Theorems 6.1 and 6.2.

7.2 From a Family to Single BC

As mentioned in Theorem 7.1, there exists a value $t$ such that Protocol 3 has both the computational binding and statistical hiding. But, we do not know the right value of $t$. By using a similar technique in Section 7, we consider a combined protocol of Protocol with different parameters.

P3($t$, $w$) denotes the commit phase of Protocol 3 with the committed value $w$ and parameter $t$. We consider the protocol (called Protocol 4) in Figure 5.

Parameters: Integers $\Delta_1 \in [0,t]$ and $\Delta_2 \in [0,n-t]$. (These are inherited by the sub-protocol P3.)

Commit Phase:

1. Alice with her bit $w$ chooses $(w_1, \ldots, w_n) \in \{0,1\}^n$ such that $w = w_1 \oplus \cdots \oplus w_n$.

2. Alice executes P3($1$, $w_1$), ..., P3($n$, $w_n$) in parallel.

Reveal Phase:

1. Alice sends decommitment of P3($i$, $w_i$) for each $i$ and Bob obtains the committed bits $w'_i$ for all $i$ and computes $w' = w'_1 \oplus \cdots \oplus w'_n$.

2. Bob verifies the correctness of the decommitments. If all the verification procedures are passed then Bob accepts.

Figure 5: Protocol 4

Theorem 7.2 Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be an $s(n)$-secure quantum one-way function family, where $s(n) = n^{\omega(1)}$. Then Protocol 4 with setting of parameters $\Delta_1 = \Delta_2 =$ \ $\log s(n)$, is a computationally-binding and statistically-hiding quantum bit commitment scheme.

Theorem 7.2 can be also shown as Theorems 6.1 and 6.2.

8 Concluding Remarks 

We have derived a quantum and non-interactive version (Non-interactive Quantum Hashing 
Theorem) of the new interactive hashing theorem. As its application, we have constructed a 
statistically-hiding non-interactive quantum bit commitment scheme. We note that by using 
the same discussion we can show the parallel composability of our quantum bit commitment 
scheme. 

In classical cryptography, the interactive hashing theorem has many applications. So, 
we hope that Non-interactive Quantum Hashing Theorem also has many applications to 
quantum cryptography. 